The place where I page to when my brain is full up of stuff about the Microsoft platform

Evaluate This–File Classification

In my last post & screen cast I showed how Dynamic Access Control (DAC) worked; the business of matching a users claims to the properties of a file (Resource Property in DAC), however the problem then becomes how do I correctly tag my files so that DAC works. You shouldn’t necessarily be doing this; it’s the users data and you are just the curator of that data. The users aren’t going to have the time or inclination to do this even if they are working in a compliance or regulated environment. However they might be able to give you some rules which you could apply to the files and this is what Data Classification does.

File Classification is part of the part of File System resource Manager (FSRM) role service and is new for Windows Server 2012 where before FSRM was just there to only allow certain file type to be uploaded or to grant quotas to users to restrict how much and of what could be stored on your servers. The secret sauce is then to link the resource property you set using the classification rule to a Central Access Rule in DAC

I used a simple expression “Top Secret” in my screen cast but you can write RegEx to look for things like credit card details, NI numbers and appropriately protect those documents automatically using this technique.

File Classification in a production environment would typically run as a scheduled job, so to be clear this does not magically happen on the fly as users save documents onto your file servers.